In association with heise online

10 September 2008, 16:28

Microsoft closes four security holes on September's Patch Tuesday

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Today is Patch Tuesday, and Microsoft is distributing four patch packets as announced. They close critical vulnerabilities in Media Player, Media Encoder, Microsoft Office, and Windows system components for graphics display (GDI+). Microsoft describes the details in four technical bulletins, MS08-052 to MS08-055. The bulletins state that all of the vulnerabilities described can be used to remotely inject malicious code. But attackers first have to get users to open manipulated files or websites.

The GDI+ problems – see MS08-052 – affect all current Windows versions since Windows XP and can occur in the handling of files in the formats VML, EMF, GIF, WMF and BMP. The flawed version of the library gdiplus.dll is found in various Office suites in addition to the Report Viewer and Microsoft's SQL Server 2005. While Redmond states that Internet Explorer is only vulnerable as IE6 under Windows 2000 SP4, in fact all Internet Explorer users are in danger. For instance, websites can send out specially crafted files that exploit one of these security holes when opened.

Windows Media Encoder 9 installs a vulnerable ActiveX control called WMEX.DLL – see MS08-053, which means that this security hole can also be exploited via Internet Explorer when users visit specially crafted websites. As a workaround, Microsoft writes that the kill bit can be set for the control: CLSID A8D3AD02-7508-4004-B2E9-AD33F087F43C.

The hole in Windows Media Player only affects the current version 11 of the program – see MS08-054. The programming error can occur when audio files with unusual sampling frequencies are visualized. As a workaround, the advisory describes how to disable the vulnerable DLL by using command line command Regsvr32.exe -u %WINDIR%\system32\wmpeffects.dll – or syswow64 instead of system32 on 64-bit systems.

Microsoft Office XP, 2003 and 2007 as well as OneNote 2007 with and without SP1 contain a vulnerability in the OneNote Handler – see MS08-055, which handles URLs in the onenote:// format. OneNote is a notebook function that is also available as part of the Microsoft office suite. When OneNote is used as an independent application, Redmond categorizes the flaw as critical, whereas it is only "important" as part of an Office suite.

Microsoft recommends that all of the patches be installed immediately. The update mechanisms in Windows and Microsoft Office generally handle this task automatically. Users and administrators should not delay any longer than necessary.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit